The Internet Industry Association (IIA) will accept public feedback for the next three weeks after completing its review of the icode – the ISP association’s voluntary code of conduct – with a view to a major update that will address mobile and other evolving security threats.
Originally launched in June 2010, the icode coordinates an industry-wide cyber-security response to provide a unified front in the fight against early identification and management of malware on Australian Internet services. Currently supported by over 30 ISPs representing over 90% of Australian Internet users, it is informed by initiatives such as the Australian Internet Security Initiative (AISI), which uses an ACMA-managed database to collate, identify and report on tens of thousands of malware threats each week.
The icode Review Taskforce’s effort to review and update the icode – which kicked off in July 2012 – is in large part driven by the emerging threat from mobile malware attacks, which have come front and centre as exploding mobile usage and corporate bring your own device (BYOD) programs draw the attention of malware authors the world over.
“We are in a very mobile environment given the number of tablets and smartphones, and moving to other devices out there,” IIA CEO Peter Lee told CSO Australia. “It’s important that the code is relevant to the devices that are connected to the Internet; all devices have the ability to be affected by malware.”
Among the proposed changes are adoption of the Domain-based Message Authentication, Reporting & Conformance (DMARC) anti-phishing initiative, which has been adopted by around 60% of global ISPs since it was established at the beginning of 2012.
Also on the agenda were active promotion of the AISI’s work, increased awareness of the predominance of email-borne Trojans, and several other initiatives flagged by the Department of Broadband, Communications, and the Digital Economy (DBCDE), which ran an icode review and delivered its icode Review Report with nine key recommendations.
Those recommendations include better use of quantitative data to measure the effectiveness of icode; clarification of what constitutes a ‘significant cyber security incident’; better collaboration between government and ISPs to improve communications around cyber-security events; that the term ‘Internet Service Provider’ be expanded to include mobile internet service providers; promotion of the icode Trustmark; clarification of when ISPs should notify customers once a compromised device is identified; timeframes for response; and more.
“While the icode is voluntary, there were some things within it that ISPs must do in relation to notifying and taking every step possible and reasonable to notify and work with customers believed to have an affected device, and to get that through to a point of resolution,” Lee said. “There’s a bit more within the code now that has been modified to reflect the obligations on ISPs and the actual objectives of the code.”
Public comments will be open until July 20, after which the IIA hopes to finalise the review within one or two months.